From 8e8d3592fe77e60a40fcb6b3289ff2a3bf6e3df8 Mon Sep 17 00:00:00 2001
From: Rudransh Jaiswal
Date: Thu, 11 Jun 2026 13:35:21 +0530
Subject: [PATCH] fix: attach only safe user fields to req.user

---
 backend/src/middleware/auth.js | 13 ++++++++++++-
 backend/src/modules/auth/auth.routes.js | 3 +--
 2 files changed, 13 insertions(+), 3 deletions(-)

diff --git a/backend/src/middleware/auth.js b/backend/src/middleware/auth.js
index 6770906..169aee8 100644
--- a/backend/src/middleware/auth.js
+++ b/backend/src/middleware/auth.js
@@ -4,7 +4,18 @@ async function attachUser(req, _res, next) {
 const userId = req.cookies?.splitt_session;
 if (!userId) return next();
-const user = await prisma.user.findUnique({ where: { id: userId } });
+const user = await prisma.user.findUnique({
+where: { id: userId },
+select: {
+id: true,
+email: true,
+name: true,
+picture: true,
+phone: true,
+thumbsUp: true,
+thumbsDown: true,
+},
+});
 if (user) req.user = user;
 next();
 }
diff --git a/backend/src/modules/auth/auth.routes.js b/backend/src/modules/auth/auth.routes.js
index ce94e23..414535f 100644
--- a/backend/src/modules/auth/auth.routes.js
+++ b/backend/src/modules/auth/auth.routes.js
@@ -5,8 +5,7 @@ const { requireAuth } = require('../../middleware/auth');
 const router = express.Router();
 router.get('/me', requireAuth, (req, res) => {
-const { id, email, name, picture, phone, thumbsUp, thumbsDown } = req.user;
-res.json({ id, email, name, picture, phone, thumbsUp, thumbsDown });
+res.json(req.user);
 });
 router.post('/logout', (_req, res) => {
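Review bot: The `select` block added in attachUser is now the only thing keeping non-public columns out of `req.user`, and the auth.routes.js hunk serializes `req.user` verbatim in GET /me, so any column later added to this allowlist becomes part of the public API response with no second check. Document that coupling on the select, e.g. `// Allowlist only: req.user is returned as-is by GET /me (auth.routes.js); never add credential or token columns here.` An alternative that keeps the API contract explicit is to retain the field projection in the route as well, at the cost of repeating the list. Also visible in the context lines, though not changed here: the cookie value is used directly as the `id` in the lookup, so if `splitt_session` is not a signed or opaque session identifier the lookup alone does not authenticate the request — worth confirming against where the cookie is set. attachUser's signature is outside the hunk (shown only in the `@@` header).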